Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-27T00:00:00 kernel: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CWE-413

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.

A flaw was found in the Linux kernel's Bluetooth subsystem. This vulnerability, a Use-After-Free (UAF), exists within the Secure Simple Pairing (SSP) passkey handlers. It occurs when `hci_conn` lookup and field access are performed without proper locking, allowing a connection to be freed concurrently. This could potentially enable a local attacker to cause a denial of service or execute arbitrary code.

Red Hat Enterprise Linux 10 Affected kernel Red Hat Enterprise Linux 6 Under investigation kernel Red Hat Enterprise Linux 7 Affected kernel Red Hat Enterprise Linux 7 Affected kernel-rt Red Hat Enterprise Linux 8 Affected kernel Red Hat Enterprise Linux 8 Affected kernel-rt Red Hat Enterprise Linux 9 Affected kernel Red Hat Enterprise Linux 9 Affected kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-46056 https://nvd.nist.gov/vuln/detail/CVE-2026-46056 https://lore.kernel.org/linux-cve-announce/2026052754-CVE-2026-46056-0ff1@gregkh/T